Product roundup: Features of top SIEM software on the market

AlienVault Inc. USM Anywhere

AlienVault Unified Security Management (USM) Anywhere is a cloud-based, SaaS platform.

The product's core SIEM software functions include log collection, event management, event correlation and reporting. USM Anywhere enables the centralized storage of all log data in the AlienVault Secure Cloud, a certified-compliant environment. This alleviates the company's burden of having to manage and secure logs on premises, while also providing a compliance-ready log management environment.

Going beyond a traditional SIEM product, USM Anywhere combines multiple unified security capabilities that enable threat detection and incident response: asset discovery, vulnerability assessment, intrusion detection -- network, host and cloud -- endpoint detection and response, file integrity monitoring, security orchestration and automation, and continuously updated threat intelligence from the AlienVault Labs Security Research Team, which is backed by the Open Threat Exchange.

USM Anywhere delivers multiple security capabilities in a single SaaS offering. Both automated and orchestrated, these capabilities give security professionals the tools and information they need to manage threat detection, incident response and compliance, the company claims.

The company also utilizes an alarm dashboard, named the Kill Chain Taxonomy, to focus attention on the most severe threats. Security analytics enable security professionals to drill down into alarms to see the related assets, vulnerabilities and events.

USM Anywhere also delivers a library of predefined report templates for a number of standards and regulations. These reports can help accelerate security and compliance reporting requirements and assist with audit readiness. It also includes more than 50 predefined event reports by data source and data source type, helping to make daily monitoring and reporting activities more efficient.

As a subscription-based cloud service, USM Anywhere is available in three editions -- Essentials, Standard and Enterprise -- for organizations of all sizes and budgets. Pricing for USM Anywhere Essentials Edition starts at $1,695 per month.

IBM QRadar

Version 7.3.1 of IBM QRadar integrates with more than 450 log sources and offers a universal Device Support Module to help organizations ingest data across on-premises and cloud-based resources.

The product parses and normalizes log data from endpoints, assets, users, applications and cloud resources. QRadar then correlates this data to network flows, vulnerability scanner results and threat intelligence to identify both known threats and anomalous network and system activity. These might be the symptoms of an unknown threat.

Connected activity automatically links and aggregates into an offense, and IBM QRadar then prioritizes these offenses based on the severity of the issue and the sensitivity of the assets involved. QRadar's approach to offenses helps distill massive volumes of data into a handful of precise, actionable alerts. The platform includes hundreds of prebuilt rules, and organizations can add reports, dashboards, integrations and additional prebuilt rules from the IBM Security App Exchange.

Organizations may deploy QRadar on premises as hardware or software, in public and private clouds, or via any of IBM's managed security services provider partners. Flexible architecture can start small with an all-in-one system with a console, event collector and event processor, and can then scale out into highly distributed environments with separate collectors, processors and consoles.

QRadar SIEM software is central to the IBM Security Intelligence Platform. The platform extends beyond standard SIEM capabilities to include:

1. QRadar Network Insights, which provides real-time packet inspection to identify malware, monitor the transfer of sensitive data and identify data exfiltration; and
2. QRadar User Behavior Analytics, which uses a combination of rules, anomaly detection and machine learning algorithms to identify malicious insiders and compromised credentials.

Other capabilities include QRadar Advisor with Watson, which applies artificial intelligence to automatically mine local QRadar data to uncover the root cause and true scope of a threat within the environment.

It also includes the QRadar Data Store, which offers fixed-price log storage, enabling organizations to store massive amounts of data without having to correlate everything. This helps organizations address regulatory requirements and maintain data that may be relevant to future investigations and threat hunting.

QRadar offers more than 1,600 customizable reports that are categorized based on compliance, executive and operational summary reports, security overview reports, network activity and management reports, applications, and device-level reports.

Licensed based on events per second (EPS), the product's starting price for an all-in-one virtual appliance with 100 EPS is $10,700, and the starting price for QRadar on Cloud with 100 EPS is $800 per month. Volume discounting is available.

LogRhythm Inc. Security Intelligence Platform

LogRhythm version 7.4 features several core capabilities, including a big data analytics architecture; advanced data processing; centralized visibility into security alerts and alarms; centralized visibility into forensic data; and the ability to apply artificial intelligence, complex scenario modeling, and deep behavioral analytics across a 360-degree view of forensic data. Other features include case management, which enables security teams to engage in workflows using a centralized and secure case management facility; task automation; and automatically guided workflows.

According to the company, more granular measurements, such as time to qualify and time to investigate, can help analysts understand workflow effectiveness. These performance metrics can help uncover opportunities to improve operational efficiency, including identifying tasks better-suited for automation and allowing security leaders to measure and report on the effectiveness of security programs. 

Pricing for the LogRhythm platform begins at $43,500, with subscription options also available. Designed with that in mind, its modular architecture delivers enterprise scalability to meet long-term needs, regardless of changing performance, storage and geographic requirements, the company claims.

McAfee LLC Enterprise Security Manager (ESM)

McAfee's Enterprise Security Manager (ESM) is a SIEM software tool for commercial, enterprise and government organizations, as well as managed security service providers. ESM delivers risk and threat protection based on a SIEM architecture built for big data security analytics.

ESM collects logs from hundreds of data sources, integrates them with dozens of partners and supplements events with threat intelligence, providing actionable intelligence and real-time threat management with new cybersecurity protections. An embedded compliance framework and Content Packs simplify its security and compliance operations.

Enterprise Security Manager 11.1 is the current version, as of this writing. Version 11 introduced features including:

1. flexible data architecture, which is an open and scalable data bus that shares large data volumes;
2. scalable Ingestion and Query Performance, which provide horizontal expansion with high availability and the ability to rapidly query billions of events; and
3. expanded cloud support for hardware virtual machine for AWS, Office 365, Azure, Xen, Hyper-V and a generic cloud API to on board cloud data sources.

ESM is available as an appliance or virtual machine that users can mix and match. ESM models include all-in-one models and discrete appliances, and it can be deployed on premises, in the cloud or in a hybrid environment. It supports deployments on AWS, Azure, Hyper-V, VMware and Xen.

While ESM provides the core SIEM capabilities, other components include high-speed data collection and event correlation, elastic search for fast querying of events, archival of raw events for compliance and forensics, and layer 3 and 7 application-level monitoring.

The Advanced Correlation Engine delivers rule-based and statistical and behavioral-based analytics for billions of events. McAfee Global Threat Intelligence can augment threat detection and investigation with a proprietary feed of potentially malicious and known-bad IP addresses.

Other security features of ESM include free Content Packs, McAfee's version of an app store that provides prebuilt use cases, and ESM's Cyber Threat Manager, which consumes threat intelligence and indicators of compromised data, enabling back tracing and the creation of a watchlist.

ESM also includes a case management system to track incident investigation, take notes and enable remediation via integrations within the McAfee product ecosystem and any third-party product that supports actions via URL, command line, APIs or Data Exchange Layer. When higher volumes or complexities dictate more orchestration, ESM integrates with partners, including ServiceNow, Phantom, Swimlane and Demisto.

ESM provides more than 800 report templates that cover areas such as compliance, security, applications, databases, network flow, risks and executive content. Users can create and modify reports using a wizard.

Appliances are rated and sold by their ability to handle a certain event-per-second capacity rather than a price per data source or price per EPS. There are no enforced EPS limits on an ESM appliance and no licensing costs for added data sources.

VMs are licensed using the same philosophy and sold by the number of CPU cores needed to support a given EPS. This allows customers to add cores as needed without replacing hardware. Pricing for a common, all-in-one, VM-based SKU targeted at smaller customers is $40,000 to $50,000.

Rapid7 Inc. InsightIDR

Rapid7's InsightIDR is a cloud-based incident detection and response platform that can help security practitioners identify and investigate threats and targeted attacks. InsightIDR combines SIEM software with user and attacker behavior analytics, endpoint detection, and response agents so users can identify a compromise as soon as it occurs and contain it as quickly as possible.

One of the key features of the software is User Behavior Analytics, which continuously baselines healthy user activity across the organization. This could be the best SIEM product for a company, as this extends beyond defined indicators of compromise so that security professionals can detect attackers impersonating employees, as well as insider threats.

In addition, Attacker Behavior Analytics take Rapid7's knowledge of prior attack activity and turns it into intelligence that can help security professionals detect attacks early.

Rapid7 also includes endpoint detection and visibility. With the tool's Insight Agent, security teams can detect known and unknown malware, grab forensic artifacts on demand, and take containment actions for detected threats from within InsightIDR. The Centralized Log Management feature links millions of daily events in one setting directly to the users and assets behind them. InsightIDR comes with a fast log search, prebuilt compliance cards and dashboards for simple, consistent reporting.

For any alert in InsightIDR, automated actions can fire to accelerate case management and threat containment. This includes creating cases in third-party ticketing systems, as well as taking direct action on user accounts and endpoints.

In addition, deception technology enables security professionals to add important monitoring opportunities and trick attackers with traps such as honeypots, honey users, honey credentials and honey files. These traps find behaviors that log analysis alone can fail to catch.

InsightIDR allows users to create reports out of custom dashboards, generating reports either once or on a preconfigured schedule.

Rapid7 prices InsightIDR based on the total number of assets in an organization.

RSA NetWitness Platform

RSA NetWitness Platform is comprised of RSA NetWitness Logs, RSA NetWitness Network and RSA NetWitness Endpoint. RSA NetWitness UEBA -- User and Entity Behavior Analytics -- and RSA NetWitness Orchestrator augment the core platform with behavioral analytics and security orchestration, automation, and response capabilities.

The platform features a Security Analytics Engine, which enables analysts to detect and respond to threats throughout an organization's infrastructure, including in the cloud, virtualized systems and containerized resources.

Organizations can deploy components in any combination of software or physical or virtual appliance, as well as within cloud environments.

The RSA NetWitness Logs, Network and Endpoint modules can be deployed individually or together, and they support a range of third-party data sources and applications.

RSA NetWitness UEBA provides unsupervised, fully automated, and continuous threat detection and monitoring using a turnkey data science model. RSA NetWitness Orchestrator provides security automation and orchestration capabilities that can enable analysts to rapidly investigate incidents and automate workflows. The tool's platform reporting capabilities include built-in and custom reports supporting a number of security and compliance requirements.

Organizations can purchase the RSA NetWitness Platform as a term or perpetual license and deploy it as a software, appliance or virtual appliance, in any combination. Pricing for the RSA NetWitness Platform is based on either data throughput for RSA NetWitness Logs and Packets, users monitored for RSA NetWitness UEBA, number of analysts using RSA NetWitness Orchestrator, or capacity -- appliance hardware. Organizations can mix and match software and appliance licenses for granular capacity and growth.

Splunk Inc. Enterprise Security

Splunk Enterprise Security (ES) is a component of Splunk Enterprise, and it offers the ability to search, monitor and analyze data to deliver insights about security using SIEM software.

Splunk ES uses analytics that enable security teams to find, investigate and respond to internal and external attacks. The software aggregates security events as soon as the sources generate them.

Event Sequencing offers the ability to group correlated searches into clusters of events. Splunk claims this clustering enhances the visibility and responsiveness of events and speeds up investigations.

Additional security capabilities include Splunk's Adaptive Response. With this feature, users can apply changes to adapt to the tactics of a given attacker. Splunk ES incorporates with Splunk User Behavior Analytics, where unsupervised machine learning algorithms provide anomaly and threat detection. Splunk has also expanded its security tools to keep track of the ever-growing mass of data.

The Use Case Library feature can help organizations bolster security with relevant content by automatically determining which uses cases are most relevant to their own environment based on the ingested data.

Companies can also use the platform to create, curate, install and manage content, which can help reduce risk by providing faster detection and incident response to new threats. In addition, Splunk ES provides ad hoc searching and reporting capabilities for breach analysis, Splunk claims.

Splunk bases pricing for Splunk ES on maximum daily volume of data indexed in GB per day.